Firewall and IPv6 #887

StefanIGit · 2023-07-14T06:53:35Z

StefanIGit
Jul 14, 2023

Hi, I try to add IPv6 addresses to the extra firewall rules, but I get errors I do not understand.
I'm sure I used the correct IPv6 CIDR format, and added the "1" which is for some reason missing in the Hetzner Server Web view
So what am I doing wrong?

  extra_firewall_rules = [{
      description = "For Bastion/VPN"
      direction       = "in"
      protocol        = "tcp"
      port            = "2222"
      source_ips      = ["78.47.20.1/32", "2a01:4f8:1c1c:abcd::1/64"]
      destination_ips = [] # Won't be used for this rule
    }  ]

Error:

Error: 2a01:4f8:1c1c:abcd::1/64 is not the start of the cidr block 2a01:4f8:1c1c:abcd::/64
│ 
│   with module.kube-hetzner.hcloud_firewall.k3s,
│   on .terraform/modules/kube-hetzner/main.tf line 50, in resource "hcloud_firewall" "k3s":
│   50: resource "hcloud_firewall" "k3s" {

Answered by M4t7e

Jul 19, 2023

The problem is that 2a01:4f8:1c1c:abcd::1/64 is not a network, so basically what the error message says. You tried to add a single IP while using a /64 network range. Now it would not be clear whether only 2a01:04f8:1c1c:abcd:0000:0000:0000:0001 or the complete /64 network 2a01:04f8:1c1c:abcd:0000:0000:0000:0000 - 2a01:04f8:1c1c:abcd:ffff:ffff:ffff:ffff should be used. For this reason, you must add a network ("CIDR block") and not an IP with the subnetmask of your network.

Info: "the start of the cidr block" is always the network ID (first IP within the network). In this case 2a01:4f8:1c1c:abcd::/64

Type	Value
IP Address:	`2a01:4f8:1c1c:abcd::1/64`
Full IP Address:	`2a01:04f8:1c1c:a…`

View full answer

M4t7e · 2023-07-19T06:05:31Z

M4t7e
Jul 19, 2023
Collaborator

The problem is that 2a01:4f8:1c1c:abcd::1/64 is not a network, so basically what the error message says. You tried to add a single IP while using a /64 network range. Now it would not be clear whether only 2a01:04f8:1c1c:abcd:0000:0000:0000:0001 or the complete /64 network 2a01:04f8:1c1c:abcd:0000:0000:0000:0000 - 2a01:04f8:1c1c:abcd:ffff:ffff:ffff:ffff should be used. For this reason, you must add a network ("CIDR block") and not an IP with the subnetmask of your network.

Info: "the start of the cidr block" is always the network ID (first IP within the network). In this case 2a01:4f8:1c1c:abcd::/64

Type	Value
IP Address:	`2a01:4f8:1c1c:abcd::1/64`
Full IP Address:	`2a01:04f8:1c1c:abcd:0000:0000:0000:0001/64`
Network:	`2a01:04f8:1c1c:abcd::/64`
Network Start (first IP):	`2a01:04f8:1c1c:abcd:0000:0000:0000:0000`
Network End (last IP):	`2a01:04f8:1c1c:abcd:ffff:ffff:ffff:ffff`

Hetzner provides a full /64 network to each VM. That means a single VM can have up to 2^64 (64 bits left from 128) = more than 18 quintillion IPv6 addresses. I would suggest 2 options:

Use a single IPv6 address network: 2a01:4f8:1c1c:abcd::1/128 (1 IP)
Use the whole /64 host network: 2a01:4f8:1c1c:abcd::/64 (> 18 quintillion IPs)

Both networks are limited to the single VM, but only the last one allows you to use other IPs on the host, applying the same firewall rule.

1 reply

StefanIGit Jul 19, 2023
Author

Thank you... I totally forgot that a single IP in IPv6 has /128, the server view whit it's IP on top, in Hetzner cloud, always irritate me.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Firewall and IPv6 #887

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Firewall and IPv6 #887

Uh oh!

StefanIGit Jul 14, 2023

Replies: 1 comment · 1 reply

Uh oh!

M4t7e Jul 19, 2023 Collaborator

Uh oh!

StefanIGit Jul 19, 2023 Author

StefanIGit
Jul 14, 2023

Replies: 1 comment 1 reply

M4t7e
Jul 19, 2023
Collaborator

StefanIGit Jul 19, 2023
Author